changelog for 0.2.5.16

2017-11-30 15:26:33 -05:00 · 2017-11-30 15:26:33 -05:00 · b97fb313a9
parent 4902cfcf19
commit b97fb313a9
6 changed files with 45 additions and 34 deletions
--- a/45
+++ b/45
@ -1,3 +1,48 @@
+Changes in version 0.2.5.16 - 2017-12-01
+  Tor 0.2.5.13 backports important security and stability bugfixes from
+  later Tor releases. All Tor users should upgrade to this release, or
+  to another of the releases coming out today.
+
+  Note: the Tor 0.2.5 series will no longer be supported after 1 May
+  2018. If you need a release with long-term support, please upgrade to
+  the 0.2.9 series. Otherwise, please upgrade to 0.3.1 or later.
+
+  o Major bugfixes (security, backport from 0.3.2.6-alpha):
+    - Fix a denial of service bug where an attacker could use a
+      malformed directory object to cause a Tor instance to pause while
+      OpenSSL would try to read a passphrase from the terminal. (Tor
+      instances run without a terminal, which is the case for most Tor
+      packages, are not impacted.) Fixes bug 24246; bugfix on every
+      version of Tor. Also tracked as TROVE-2017-011 and CVE-2017-8821.
+      Found by OSS-Fuzz as testcase 6360145429790720.
+    - When checking for replays in the INTRODUCE1 cell data for a
+      (legacy) onion service, correctly detect replays in the RSA-
+      encrypted part of the cell. We were previously checking for
+      replays on the entire cell, but those can be circumvented due to
+      the malleability of Tor's legacy hybrid encryption. This fix helps
+      prevent a traffic confirmation attack. Fixes bug 24244; bugfix on
+      0.2.4.1-alpha. This issue is also tracked as TROVE-2017-009
+      and CVE-2017-8819.
+
+  o Major bugfixes (security, relay, backport from 0.3.2.6-alpha):
+    - When running as a relay, make sure that we never build a path
+      through ourselves, even in the case where we have somehow lost the
+      version of our descriptor appearing in the consensus. Fixes part
+      of bug 21534; bugfix on 0.2.0.1-alpha. This issue is also tracked
+      as TROVE-2017-012 and CVE-2017-8822.
+
+  o Minor features (bridge, backport from 0.3.1.9):
+    - Bridges now include notice in their descriptors that they are
+      bridges, and notice of their distribution status, based on their
+      publication settings. Implements ticket 18329. For more fine-
+      grained control of how a bridge is distributed, upgrade to 0.3.2.x
+      or later.
+
+  o Minor features (geoip):
+    - Update geoip and geoip6 to the November 6 2017 Maxmind GeoLite2
+      Country database.
+
+
 Changes in version 0.2.5.15 - 2017-10-25
  Tor 0.2.5.15 backports a collection of bugfixes from later Tor release
  series. It also adds a new directory authority, Bastet.
--- a/changes/bug18329-minimal
+++ b/changes/bug18329-minimal
@ -1,6 +0,0 @@
-  o Minor features (bridge):
-    - Bridges now include notice in their descriptors that they are bridges,
-      and notice of their distribution status, based on their publication
-      settings.  Implements ticket 18329.  For more fine-grained control of
-      how a bridge is distributed, upgrade to 0.3.2.x or later.
-
--- a/changes/geoip-2017-11-06
+++ b/changes/geoip-2017-11-06
@ -1,4 +0,0 @@
-  o Minor features (geoip):
-    - Update geoip and geoip6 to the November 6 2017 Maxmind GeoLite2
-      Country database.
-
--- a/changes/trove-2017-009
+++ b/changes/trove-2017-009
@ -1,10 +0,0 @@
-  o Major bugfixes (security):
-    - When checking for replays in the INTRODUCE1 cell data for a (legacy)
-      hiddden service, correctly detect replays in the RSA-encrypted part of
-      the cell. We were previously checking for replays on the entire cell,
-      but those can be circumvented due to the malleability of Tor's legacy
-      hybrid encryption. This fix helps prevent a traffic confirmation
-      attack. Fixes bug 24244; bugfix on 0.2.4.1-alpha. This issue is also
-      tracked as TROVE-2017-009 and CVE-2017-8819.
-
-
--- a/changes/trove-2017-011
+++ b/changes/trove-2017-011
@ -1,8 +0,0 @@
-  o Major bugfixes (security):
-    - Fix a denial of service bug where an attacker could use a malformed
-      directory object to cause a Tor instance to pause while OpenSSL would
-      try to read a passphrase from the terminal. (If the terminal was not
-      available, tor would continue running.)  Fixes bug 24246; bugfix on
-      every version of Tor.  Also tracked as TROVE-2017-011 and
-      CVE-2017-8821.  Found by OSS-Fuzz as testcase 6360145429790720.
-
--- a/changes/trove-2017-012-part1
+++ b/changes/trove-2017-012-part1
@ -1,6 +0,0 @@
-  o Major bugfixes (security, relay):
-    - When running as a relay, make sure that we never build a path through
-      ourselves, even in the case where we have somehow lost the version of
-      our descriptor appearing in the consensus. Fixes part of bug 21534;
-      bugfix on 0.2.0.1-alpha. This issue is also tracked as TROVE-2017-012
-      and CVE-2017-8822.